A new guide from Harvard University’s Kennedy School of Government is offering guidance to political campaigns that wish to keep hackers at bay.
The Cybersecurity Campaign Playbook (PDF) counts Robby Mook, Hillary Clinton’s Campaign Manager from the 2016 campaign, and Matt Rhoades, Mitt Romney’s 2012 Campaign Manager as contributors. It calls on campaigns to embrace cloud computing and secure log-in technologies like two-factor authentication, and to spend more resources and effort educating campaign staff about cyber security risks.
The guide follows on the heels of a contentious and fraught 2016 presidential election cycle, in which the hack of senior members of the Hillary Clinton campaign, and the subsequent release of thousands of stolen emails played a prominent role. However, sophisticated, targeted attacks on presidential campaigns are nothing new. Hackers believed to be working for the Chinese government are reported to have broken into both the John McCain and Barack Obama campaigns in 2008. In 2012, the Romney and Obama campaigns were also the subject of repeated hacking attempts, as well.
Those forays were widely interpreted as information gathering campaigns – in a long tradition of spy craft aimed at understanding the motives and policies of an incoming administration. However, the 2016 campaign marked a new chapter in election hacking, with stolen information ‘weaponized’ by sites like Wikileaks and used to influence the course of the campaign and the sentiments of voters.
In a letter introducing the guide, Mook and Rhoades, who are both serving as fellows at The Kennedy School’s Belfer Center, said that the professionals who run campaigns have a responsibility to protect their “candidate and organization from adversaries in the digital space.” The two announced in July that they were joining forces to fight election hacking as part of an initiative called “Defending Digital Democracy.”
“Cyber adversaries don’t discriminate. Campaigns at all levels – not just presidential campaigns – have been hacked. You should assume you are a target,” the guide notes.
The guide was created and published by the Belfer Center, along with VIPs including Heather Adkins, Google’s Director of Information Security and Privacy, Dmitri Alperovitch, the CTO of CrowdStrike and Alex Stamos, Facebook’s Chief Security Officer. It offers a range of advice, including hand outs for campaign staff and even family members of campaign staff.
Noting that people are the biggest vulnerability for campaigns, the guide focuses on education and promoting best practices from the leadership level on down. Recommendations include familiar security bromides such as to keep work and personal data separate, to beware of suspicious email attachments and links, “trust your gut.” The guide throws its weight behind cloud based storage and applications, including Google’s office suite and Microsoft’s cloud-based Office365. Managed cloud assets are easier to secure and maintain than those owned and operated by the campaign, the guide says.
On the question of protecting email accounts, the guide recommends using an “auto delete” feature to remove old email from accounts and reducing the amount of data stored in an account, should it be compromised. Strong passwords and two-factor authentication are also encouraged, as is heavy vetting of consultants and other seeking access to sensitive campaign data.
The guide also recommends that campaigns have a detailed disaster plan ready in case the worst happens, with outside legal counsel and security experts ready to parachute in and coordinate the campaign’s response to the breach.